Banks demand decryption option as part of forthcoming TLS 1.3 web security standard

New TLS 1.3 web security standard might clash with banks' regulatory compliance requirements, financial institutions claim

Technology companies are loggerheads with major banks over a security protocol that is responsible for protecting internet traffic.

The disagreement relates to an update to the Transport Layer Security (TLS) security protocol, which encrypts web browsing, communication and IoT apps.

TLS 1.3, which will bring into force a new range of protections for connected technology, is set to be finally agreed within weeks, with a final version expected in March.

The details will be presented at an upcoming meeting of the Internet Engineering Task Force (IETF), which is responsible for generating and enforcing standards to protect the internet and keep firms in check.

But, according to Cyberscoop, group members have been taken by surprise with new arguments from financial organisations and banks to water down the standard.

I'm not going to build a decryption feature in. If I did, I might as well quit my job

They are not only unhappy with the time and effort needed to comply with the standard, but also argue that it could be damaging to their businesses.

The Financial Services Roundtable, which is made of around one hundred of the largest financial organisations and banks in the US, supports an "option for negotiation of visibility in the datacentre".

Financial firms argue that they need a way to decrypt enterprise network connections in order for them to implement data protection in line with their regulatory compliance obligations.

However, many supporters of the standard argue that their proposals would promote unauthorised decryption - putting internet security at risk. They have told the banks that there are other options they could consider that would address their concerns.

Speaking to CyberScoop, Microsoft senior security manager Janet Jones said banks are trying to undermine internet security.

She said that they are "pushing the TLS working group to create a decryption option as part of the specification". But she believes that the standards group will not give in to their demands.

Companies such as Google, Microsoft and Facebook have already criticised the proposal from the banks. They agree that it would put internet users in danger.

Jones added: "We went to the banks and said 'there are ways to do what you want to do. But you need to build that appliance on your own'. I'm not going to build a decryption feature in. If I did, I might as well quit my job."